How to selectively expose Umbrel's Hidden Tor Services to Clearnet (Reverse Proxy SSL)

This solution is based on the BTCPayServer Reverse Proxy method:
https://docs.btcpayserver.org/ReverseProxyToTor/

You can expose Electrum Server, LNDHub, BTCPayServer or any other Tor hidden service running on your Umbrel node to a clearnet HTTPS URI, without exposing your Umbrel node's public IP.

I used this method to link my Tor-only Electrum Server on my Umbrel node to BlueWallet on Android. There is a known issue with BlueWallet's built-in Tor proxy that causes the app to crash on Android.

This solution requires a publicly accessible server to act as a proxy. If you have your own website, you likely have all that you need to run the public proxy.

Requirements:

  • Domain name + SSL Certificate
  • SSH access to a VPS/Server that hosts your domain/site

It uses the following Docker instance to run a proxy with HTTPS/SSL support:
https://hub.docker.com/r/damanic/socatorssl

If your server does not already have Docker installed -> docs.docker.com/get-docker/

From the command line, pull in the SocaTorSSL Docker container:

docker pull damanic/socatorssl

In the following example, /path/to/ssl/certificate points to the host directory on your server that contains your domain's SSL certificates.

To expose Electrum Server:

docker run -d \
    -p 5100:5100 \
    -e "PUBLIC_PORT=5100" \
    -e "TOR_SITE=zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion" \
    -e "TOR_SITE_PORT=50001" \
    -e "SSL_CERT=cert.pem" \
    -e "SSL_KEY=key.pem" \
    --name umbrelProxyElectrum \
    --mount type=bind,source=/path/to/ssl/certificate,target=/etc/socatorssl/certs/ \
    damanic/socatorssl

You can now access your Umbrel node's Electrum service via https://yourdomain.com:5100

To expose LNDHUB:

docker run -d \
    -p 5101:5101 \
    -e "PUBLIC_PORT=5101" \
    -e "TOR_SITE=324g3g435h425h35hrgedhgpdf6otjiycgwqbym2qad.onion" \
    -e "TOR_SITE_PORT=80" \
    -e "SSL_CERT=cert.pem" \
    -e "SSL_KEY=key.pem" \
    --name umbrelProxyLndHub \
    --mount type=bind,source=/path/to/ssl/certificate,target=/etc/socatorssl/certs/ \
    damanic/socatorssl

You can now access your Umbrel node's LNDHub service via https://yourdomain.com:5101


You can spin up as many Docker instances as you need to open additional services to clearnet.

NOTE: The Tor .onion URL for each service is unique. You can find the URL for the Electrum Server by using the wallet connect feature in the umbrel.local admin area. The LNDHub URL is exposed by the BlueWallet LNDHub barcode.

If you SSH into your Umbrel node, you can find all the Tor services, addresses and ports in the torrc* files stored in /umbrel/tor/

WARNING: Whilst a proxy will protect your Umbrel node's public IP from being known, any service you open up to the proxy will become discoverable on clearnet.
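As an added helper that is not part of the original post, the shell functions below assemble the same socatorssl docker run invocation from parameters and refuse to build it when the .onion address is not a 56-character v3 address, a port is out of range, or cert.pem/key.pem are missing from the certificate directory. The function names (is_v3_onion, is_port, build_proxy_cmd) are this example's own; the command is printed, not executed, so you can review it before running it.

```shell
# Added example, not from the original post. POSIX sh; no docker needed to run it.

# Return 0 if $1 looks like a v3 onion address: 56 base32 chars (a-z, 2-7) + ".onion".
is_v3_onion() {
  case "$1" in
    *.onion) ;;
    *) return 1 ;;
  esac
  label="${1%.onion}"
  [ "${#label}" -eq 56 ] || return 1
  case "$label" in
    *[!a-z2-7]*) return 1 ;;
  esac
  return 0
}

# Return 0 if $1 is a TCP port in 1-65535.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not run) the docker run command for one proxied service.
# Args: container-name public-port onion-address onion-port cert-dir
# cert-dir must contain cert.pem and key.pem, as in the post's examples.
build_proxy_cmd() {
  name="$1"; pub="$2"; onion="$3"; tport="$4"; certdir="$5"
  is_port "$pub"       || { echo "bad public port: $pub" >&2; return 1; }
  is_port "$tport"     || { echo "bad Tor service port: $tport" >&2; return 1; }
  is_v3_onion "$onion" || { echo "not a v3 .onion address: $onion" >&2; return 1; }
  [ -f "$certdir/cert.pem" ] && [ -f "$certdir/key.pem" ] \
    || { echo "cert.pem/key.pem not found in $certdir" >&2; return 1; }
  printf 'docker run -d -p %s:%s -e PUBLIC_PORT=%s -e TOR_SITE=%s -e TOR_SITE_PORT=%s -e SSL_CERT=cert.pem -e SSL_KEY=key.pem --name %s --mount type=bind,source=%s,target=/etc/socatorssl/certs/ damanic/socatorssl\n' \
    "$pub" "$pub" "$pub" "$onion" "$tport" "$name" "$certdir"
}
```

Pipe the printed command into sh only after checking it; a rejected address or missing key file exits non-zero before anything is exposed.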

5 Likes

Hi, is it possible to export the Vaultwarden service for use without Tor but only locally (no VPS/server)?
This way I think it would work on my Bitwarden phone app using Tailscale. What do you think?

It should work anyway with Tailscale. Just use the Tailscale Umbrel IP + port in your mobile Bitwarden (with Tailscale activated on mobile).
Here you have the port for Tailscale used in Umbrel:

1 Like

I almost got that working with Tailscale, but I believe the connection has to be HTTPS, which I was not able to get working on the Umbrel. I think this is possible in Tailscale via their beta options to install SSL keys and such, but to be honest I gave up as I didn't want to hose my Umbrel due to not knowing what I was doing…

I have now taken the approach of only using my Umbrel for Bitcoin-related activities…

I use Bitwarden as a backup of my KeePass (works offline and with a remote file on any platform)

APP_VAULTWARDEN_IP="10.21.21.46"
APP_VAULTWARDEN_PORT="8089"

OK, so using the IP Tailscale gives for my Umbrel and that port I can access Vaultwarden from my phone's browser. But I can't log in since it's HTTP instead of HTTPS… so close! Error: This browser requires HTTPS to use the web vault

But it works perfectly by entering http://tailscale_umbrel_ip:8089 in the Bitwarden Android app!! Success! Thanks.

2 Likes

Install the Bitwarden app on mobile and use the Tailscale IP + port to configure it.

1 Like

Where is the BTCPay code?? I'm so lost. I just want to get my BTCPay button working on Tor. Anybody help? Is Squarespace blocking?

You seem to be very active on here. Can you help me? You had told me about Tailscale. I set it up but nothing is working. Do I need to set ports on my router? I changed my DNS to have a CNAME that points to the Tailscale domain? Nothing changed that I can see.

I have read through your lists and haven't found this answer. This question is probably more focused on connecting a website from Squarespace to work with the BTCPay button.

https://docs.btcpayserver.org/Deployment/ReverseProxyToTor/#reverse-proxy-to-tor

1 Like